TableWildcard is supported by SDK: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/lakeformation.html#LakeFormation.Client.grant_permissions
but is not available in CloudFormation: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-lakeformation-permissions-tableresource.html#cfn-lakeformation-permissions-tableresource-name
Currently we are using CF custom resources to support this which is not ideal
It seems that the documentation is outdated, since I've added `TableWildcard: {}` in the CF template and it works.
I can confirm, I was also able to provision access to all tables. I've submitted a request to have the documentation updated, thanks @kherkeladze!
Hi @kherkeladze or @colonmelvin. When I have `TableWildcard: {}` in my CF, it does not work though. I got this error:
Resource does not exist or requester is not authorized to access requested permissions. (Service: AWSLakeFormation; Status Code: 400; Error Code: AccessDeniedException
Do you mind posting an example of what was done?
Hi @mt-rpranata, be sure you have grant permissions on the Glue database or Lake Formation administrator permissions. We used the following CFT as a Terraform resource:
```json
{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "databasepermissions": {
            "Type": "AWS::LakeFormation::Permissions",
            "Properties": {
                "DataLakePrincipal": {
                    "DataLakePrincipalIdentifier": "${aws_iam_role.service_role_glue.arn}"
                },
                "Permissions": [
                    "ALL"
                ],
                "PermissionsWithGrantOption": [
                    "ALL"
                ],
                "Resource": {
                    "DatabaseResource": {
                        "Name": "${element(split(":",aws_glue_catalog_database.glue_database.id),1)}"
                    }
                }
            },
            "Metadata": {
                "AWS::CloudFormation::Designer": {
                    "id": "a23487d6-a0f3-4787-94b1-6ce2cee3dd46"
                }
            }
        },
        "tablepermissions": {
            "Type": "AWS::LakeFormation::Permissions",
            "Properties": {
                "DataLakePrincipal": {
                    "DataLakePrincipalIdentifier": "${aws_iam_role.service_role_glue.arn}"
                },
                "Permissions": [
                    "ALL"
                ],
                "PermissionsWithGrantOption": [
                    "ALL"
                ],
                "Resource": {
                    "TableResource": {
                        "DatabaseName": "${element(split(":",aws_glue_catalog_database.glue_database.id),1)}",
                        "TableWildcard": {}
                    }
                }
            }
        }
    }
}
```
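A note on what the template above actually grants: the `tablepermissions` resource combines `TableWildcard` (every current and future table in the database) with `ALL` and `PermissionsWithGrantOption: ["ALL"]`, so the Glue service role can read, write, drop and re-grant everything in that database. That is the broadest grant Lake Formation offers, and it is easy to copy into a template without noticing. The following is an added example, not code from this thread or from AWS: a small dependency-free Python lint that walks a CloudFormation template and flags `AWS::LakeFormation::Permissions` resources that pair a table wildcard with `ALL` or hand out `ALL` with grant option. The sample template, the logical resource names and the principal ARNs are constructed for the example.

```python
"""Lint AWS::LakeFormation::Permissions resources in a CloudFormation template.

Added example (not from the thread). Flags grants that are wildcard-wide or
re-grantable at full strength so they get a deliberate review.
"""
import json

LF_PERMISSIONS_TYPE = "AWS::LakeFormation::Permissions"

# Constructed sample template: hypothetical resource names and principal ARNs.
# "alltables" mirrors the shape of the template above; "onetable" is a
# narrow SELECT grant on a single table for comparison.
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "alltables": {
            "Type": LF_PERMISSIONS_TYPE,
            "Properties": {
                "DataLakePrincipal": {
                    "DataLakePrincipalIdentifier":
                        "arn:aws:iam::123456789012:role/example-glue-role"},
                "Permissions": ["ALL"],
                "PermissionsWithGrantOption": ["ALL"],
                "Resource": {"TableResource": {"DatabaseName": "analytics",
                                               "TableWildcard": {}}},
            },
        },
        "onetable": {
            "Type": LF_PERMISSIONS_TYPE,
            "Properties": {
                "DataLakePrincipal": {
                    "DataLakePrincipalIdentifier":
                        "arn:aws:iam::123456789012:role/example-reader"},
                "Permissions": ["SELECT"],
                "Resource": {"TableResource": {"DatabaseName": "analytics",
                                               "Name": "orders"}},
            },
        },
        # Unrelated resource type: must be ignored by the lint.
        "bucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    },
})


def describe_scope(resource):
    """Classify a Lake Formation Resource block.

    Returns (database_name, scope) where scope is one of
    'ALL_TABLES' (TableWildcard present), 'table:<name>' or 'database'.
    """
    table = resource.get("TableResource")
    if table is not None:
        if "TableWildcard" in table:
            return table.get("DatabaseName"), "ALL_TABLES"
        return table.get("DatabaseName"), "table:%s" % table.get("Name")
    database = resource.get("DatabaseResource", {})
    return database.get("Name"), "database"


def lint_lake_formation_grants(template_text):
    """Return a list of findings, one per risky Permissions resource."""
    template = json.loads(template_text)
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != LF_PERMISSIONS_TYPE:
            continue
        props = res.get("Properties", {})
        perms = set(props.get("Permissions", []))
        grantable = set(props.get("PermissionsWithGrantOption", []))
        principal = props.get("DataLakePrincipal", {}).get(
            "DataLakePrincipalIdentifier")
        database, scope = describe_scope(props.get("Resource", {}))

        reasons = []
        if scope == "ALL_TABLES" and "ALL" in perms:
            reasons.append("ALL on every table in database %r" % database)
        if "ALL" in grantable:
            reasons.append("ALL with grant option on %s: principal can "
                           "re-grant full access to others" % scope)
        if reasons:
            findings.append({"resource": logical_id, "principal": principal,
                             "scope": scope, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in lint_lake_formation_grants(SAMPLE_TEMPLATE):
        print(finding["resource"], finding["principal"], finding["scope"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

Run it against a real template after `terraform` or `cfn` rendering so the `${...}` interpolations have been resolved; on the constructed sample only `alltables` is reported, with two reasons, while the single-table `SELECT` grant and the S3 bucket are skipped.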
Thank you @colonmelvin! I almost dug my way down the rabbit hole of custom resources and doing it through a manual API call.
Even when I temporarily tested with the relaxed `glue:*` and `lakeformation:*` permissions on my role for all resources, I did not have the grantable Lake Formation permission on the CF Execute Role. After reading your comment to make sure I had all the permissions, just to be safe, I added Grantable: Super on the CF Execute Role so it can grant permissions to other users; then everything was hunky-dory.
One thing that I still can't wrap my head around is that even when I have

- the IAMAllowedPrincipals group on the Database permissions
- Super grantable permission on the Database

I still need the Super grantable permission on ALL Tables for it to work. I don't need this if I specify a table name, by the way.

Anyway, appreciate your help! 🙏
I have just tested it. The feature is available.
On the other hand, the cloudformation documentation is not up to date.
To avoid this confusion, can you please update the documentation here: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-lakeformation-permissions-tablewildcard.html?

Thank you